jcc-express-mvc 1.8.8 → 1.8.21

package/lib/Auth/AuthMiddleware.js

@@ -3,22 +3,27 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authMiddleware = void 0;
 const Config_1 = require("../Config/Config");
 const util_1 = require("../util");
-const { User } = (0, util_1.getModel)("User");
 class AuthMiddleware {
     /** Middleware: API authentication */
     async apiAuth(req, res, next) {
+        const { User } = (0, util_1.getModel)("User");
         const token = req.headers.authorization?.split(" ")[1] || req.cookies.auth_token;
         if (!token)
             return res.status(401).json({ message: "Not authorized" });
         try {
-            const id = (0, util_1.jwtVerify)(token);
-            const user = Config_1.config.get("DB_ORM") === "mongodb"
+            const payload = (0, util_1.jwtVerify)(token);
+            if (!(0, util_1.checkJwtAccessTokenPayload)(payload).ok) {
+                return res.status(401).json({ message: "Not authorized" });
+            }
+            const id = (0, util_1.jwtSubjectId)(payload);
+            const user = Config_1.config.get("DB_ORM") === "mongodb" ||
+                Config_1.config.get("DB_ORM") === "mongoose"
                 ? await User.findById(id)
                 : await User.where("id", id).first();
             if (!user)
                 return res.status(401).json({ message: "Not authorized" });
             req.user = user;
-            req.id = id;
+            req.id = String(id);
             next();
         }
         catch (err) {
@@ -26,15 +31,26 @@ class AuthMiddleware {
         }
     }
     async auth(req, res, next) {
+        const { User } = (0, util_1.getModel)("User");
         const token = req.cookies.auth_token;
-        if (!token)
+        if (!token) {
+            req.jccSession?.put("redirect", req.url || "/");
             return res.redirect(`/login?redirect=${req.url || "/"}`);
+        }
         try {
             const payload = (0, util_1.jwtVerify)(token);
-            const user = await (0, util_1.findUserById)(User, payload.id);
+            if (!(0, util_1.checkJwtAccessTokenPayload)(payload).ok) {
+                res.clearCookie("auth_token", (0, util_1.authSessionCookieOptions)());
+                res.clearCookie("refresh_token", (0, util_1.authSessionCookieOptions)());
+                req.jccSession?.put("redirect", req.url || "/");
+                return res.redirect(`/login?redirect=${req.url || "/"}`);
+            }
+            const id = (0, util_1.jwtSubjectId)(payload);
+            const user = await (0, util_1.findUserById)(User, id);
             if (!user) {
-                res.clearCookie("auth_token");
-                res.clearCookie("refresh_token");
+                res.clearCookie("auth_token", (0, util_1.authSessionCookieOptions)());
+                res.clearCookie("refresh_token", (0, util_1.authSessionCookieOptions)());
+                req.jccSession?.put("redirect", req.url || "/");
                 return res.redirect(`/login?redirect=${req.url || "/"}`);
             }
             req.user = user;
@@ -42,8 +58,9 @@ class AuthMiddleware {
             next();
         }
         catch (err) {
-            res.clearCookie("auth_token");
-            res.clearCookie("refresh_token");
+            res.clearCookie("auth_token", (0, util_1.authSessionCookieOptions)());
+            res.clearCookie("refresh_token", (0, util_1.authSessionCookieOptions)());
+            req.jccSession?.put("redirect", req.url || "/");
             return res.redirect(`/login?redirect=${req.url || "/"}`);
         }
     }
@@ -55,8 +72,8 @@ class AuthMiddleware {
                     return res.redirect(303, req.previousUrls[1]);
                 }
                 else {
-                    res.clearCookie("auth_token");
-                    res.clearCookie("refresh_token");
+                    res.clearCookie("auth_token", (0, util_1.authSessionCookieOptions)());
+                    res.clearCookie("refresh_token", (0, util_1.authSessionCookieOptions)());
                     return res.redirect(303, req.url);
                 }
             }

package/lib/Auth/index.d.ts

@@ -1,16 +1,30 @@
 import { AppRequest, AppResponse, AppNext } from "../Interface";
+import { type IRefreshTokenStore } from "./refreshTokenStore";
 export declare class Authentication {
+    private static refreshStore;
+    /** Use a shared store (e.g. Redis) when running multiple app instances. */
+    static setRefreshTokenStore(store: IRefreshTokenStore): void;
     /** Get user lookup field (email, phone, username) */
     private static getCredentials;
     /** Fetch user from DB (MongoDB, Sequelize, or JCC ORM) */
     private static getUser;
-    /** Generate and attach tokens to cookies */
+    /** Generate and attach tokens to cookies (refresh is rotated server-side via `jti`). */
     private static setTokens;
     /** Handle user login attempt */
-    static attempt: (req: AppRequest, res: AppResponse, next: AppNext, redirect?: string) => Promise<void | AppResponse>;
+    static attempt: (next: AppNext, redirect?: string) => Promise<void>;
+    /**
+     * After the user is resolved (e.g. OAuth via Socialite), issue JWT cookies
+     * and redirect or JSON response like {@link Authentication.attempt}.
+     */
+    static completeLogin(req: AppRequest, res: AppResponse, userId: string | number, redirect?: string): Promise<void>;
     /** Refresh token middleware */
     static refreshToken(req: AppRequest, res: AppResponse, next: AppNext): Promise<AppResponse | undefined>;
     /** Logout handler */
-    static logout(req: AppRequest, res: AppResponse): void;
+    static logout(): void;
+    /** True when the access cookie is a valid, usable JWT (not refresh / disallowed legacy). */
+    static check(): boolean;
+    static user(): Record<string, any>;
+    static id(): any;
+    static socialLogin(userId: string | number): Promise<void>;
 }
 //# sourceMappingURL=index.d.ts.map

package/lib/Auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAehE,qBAAa,cAAc;IACzB,qDAAqD;IACrD,OAAO,CAAC,MAAM,CAAC,cAAc;IAc7B,0DAA0D;mBACrC,OAAO;IAoB5B,4CAA4C;IAC5C,OAAO,CAAC,MAAM,CAAC,SAAS;IAuBxB,gCAAgC;IAChC,MAAM,CAAC,OAAO,GACZ,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,MAAM,OAAO,EACb,WAAU,MAAgB,iCAuB1B;IAEF,+BAA+B;WAClB,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAmB1E,qBAAqB;IACrB,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW;CAKhD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAgBhE,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAsB7B,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAC,YAAY,CAAgD;IAE3E,2EAA2E;IAC3E,MAAM,CAAC,oBAAoB,CAAC,KAAK,EAAE,kBAAkB,GAAG,IAAI;IAI5D,qDAAqD;IACrD,OAAO,CAAC,MAAM,CAAC,cAAc;IAc7B,0DAA0D;mBACrC,OAAO;IAqB5B,wFAAwF;IACxF,OAAO,CAAC,MAAM,CAAC,SAAS;IA0BxB,gCAAgC;IAChC,MAAM,CAAC,OAAO,GAAU,MAAM,OAAO,EAAE,WAAU,MAAgB,mBAqB/D;IAEF;;;OAGG;WACU,aAAa,CACxB,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,MAAM,GAAG,MAAM,EACvB,QAAQ,GAAE,MAAgB,GACzB,OAAO,CAAC,IAAI,CAAC;IA4BhB,+BAA+B;WAClB,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO;IAsC1E,qBAAqB;IACrB,MAAM,CAAC,MAAM;IAsBb,4FAA4F;IAC5F,MAAM,CAAC,KAAK,IAAI,OAAO;IAWvB,MAAM,CAAC,IAAI;IAIX,MAAM,CAAC,EAAE;WAII,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;CAGjD"}

package/lib/Auth/index.js

@@ -6,8 +6,28 @@ const util_1 = require("../util");
 const Config_1 = require("../Config/Config");
 const ValidationException_v2_1 = require("../Error/ValidationException-v2");
 const Jcc_eloquent_1 = require("../Jcc-eloquent");
-const { User } = (0, util_1.getModel)("User");
+const refreshTokenStore_1 = require("./refreshTokenStore");
+const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+const ACCESS_MAX_AGE_MS = 60 * 60 * 1000;
+function clearAuthCookies(res) {
+    const base = (0, util_1.authSessionCookieOptions)();
+    res.clearCookie("auth_token", base);
+    res.clearCookie("refresh_token", base);
+}
+/** Avoid open redirects: only same-origin relative paths. */
+function safeInternalRedirect(url, fallback) {
+    if (!url || typeof url !== "string")
+        return fallback;
+    const t = url.trim();
+    if (t.startsWith("/") && !t.startsWith("//") && !t.includes("\\"))
+        return t;
+    return fallback;
+}
 class Authentication {
+    /** Use a shared store (e.g. Redis) when running multiple app instances. */
+    static setRefreshTokenStore(store) {
+        _a.refreshStore = store;
+    }
     /** Get user lookup field (email, phone, username) */
     static getCredentials(data) {
         const query = {};
@@ -24,12 +44,13 @@ class Authentication {
     }
     /** Fetch user from DB (MongoDB, Sequelize, or JCC ORM) */
     static async getUser(data) {
+        const { User } = (0, util_1.getModel)("User");
         const field = this.getCredentials(data);
         if (!Object.keys(field).length)
             return { user: null, field: "email" };
         let user = null;
         const orm = Config_1.config.get("DB_ORM");
-        if (orm === "mongodb") {
+        if (orm === "mongodb" || orm === "mongoose") {
             user = await User.findOne(field).select("+password");
         }
         else if (orm === "sequelize") {
@@ -43,54 +64,140 @@ class Authentication {
         }
         return { user, field: Object.keys(field)[0] || "email" };
     }
-    /** Generate and attach tokens to cookies */
+    /** Generate and attach tokens to cookies (refresh is rotated server-side via `jti`). */
     static setTokens(res, userId) {
-        const accessToken = (0, util_1.jwtSign)(userId.toString(), { expiresIn: "1h" });
-        const refreshToken = (0, util_1.jwtSign)(userId.toString(), { expiresIn: "7d" });
-        const cookieOptions = {
-            httpOnly: true,
-            secure: Config_1.config.get("APP_ENV") === "production",
-            sameSite: "lax",
-        };
+        const id = String(userId);
+        const jti = _a.refreshStore.generateJti();
+        _a.refreshStore.register(jti, id, REFRESH_TTL_MS);
+        const accessToken = (0, util_1.jwtSign)(id, { expiresIn: "1h" });
+        const refreshToken = (0, util_1.jwtSign)({ id, typ: "refresh", jti }, { expiresIn: "7d" });
+        const cookieOptions = (0, util_1.authSessionCookieOptions)();
         res.cookie("auth_token", accessToken, {
             ...cookieOptions,
-            maxAge: 1000 * 60 * 60, // 1 hour
+            maxAge: ACCESS_MAX_AGE_MS,
         });
         res.cookie("refresh_token", refreshToken, {
             ...cookieOptions,
-            maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
+            maxAge: REFRESH_TTL_MS,
         });
         return { accessToken, refreshToken };
     }
+    /**
+     * After the user is resolved (e.g. OAuth via Socialite), issue JWT cookies
+     * and redirect or JSON response like {@link Authentication.attempt}.
+     */
+    static async completeLogin(req, res, userId, redirect = "/home") {
+        const { User } = (0, util_1.getModel)("User");
+        const tokens = this.setTokens(res, userId);
+        const user = await (0, util_1.findUserById)(User, userId);
+        if (!user) {
+            if (req.expectsJson() && !req.isInertia()) {
+                res.status(401).json({ message: "Unauthorized" });
+            }
+            else {
+                req.jccSession?.flash("error", "Could not sign you in.");
+                res.redirect(303, "/login");
+            }
+            return;
+        }
+        if (req.expectsJson() && !req.isInertia()) {
+            const plain = typeof user?.toObject === "function" ? user.toObject() : user;
+            res.status(200).json({
+                tokens: { accessToken: tokens.accessToken },
+                user: plain,
+            });
+            return;
+        }
+        const sessionRedirect = req.jccSession?.get("redirect") || "";
+        req.jccSession?.forget("redirect");
+        const redirectTo = safeInternalRedirect(sessionRedirect, redirect);
+        res.redirect(303, redirectTo);
+    }
     /** Refresh token middleware */
     static async refreshToken(req, res, next) {
+        const { User } = (0, util_1.getModel)("User");
         try {
             const refreshToken = req.cookies.refresh_token;
             if (!refreshToken)
                 throw new Error("No refresh token");
-            const userId = (0, util_1.jwtVerify)(refreshToken);
+            const payload = (0, util_1.jwtVerify)(refreshToken);
+            const kind = (0, util_1.jwtTokenType)(payload);
+            if (kind === "access") {
+                throw new Error("Invalid refresh token");
+            }
+            const jti = payload != null &&
+                typeof payload === "object" &&
+                typeof payload.jti === "string"
+                ? payload.jti
+                : "";
+            if (!jti) {
+                throw new Error("Invalid refresh token");
+            }
+            const session = _a.refreshStore.consume(jti);
+            const userId = (0, util_1.jwtSubjectId)(payload);
+            if (!session || session.userId !== String(userId)) {
+                throw new Error("Invalid refresh token");
+            }
             this.setTokens(res, userId);
-            // Use universal finder
             req.user = await (0, util_1.findUserById)(User, userId);
             next();
         }
         catch (error) {
-            res.clearCookie("auth_token");
-            res.clearCookie("refresh_token");
+            clearAuthCookies(res);
             return res.status(401).json({ message: "Unauthorized" });
         }
     }
     /** Logout handler */
-    static logout(req, res) {
-        res.clearCookie("auth_token");
-        res.clearCookie("refresh_token");
+    static logout() {
+        const req = request();
+        const res = response();
+        try {
+            const rt = req.cookies?.refresh_token;
+            if (rt) {
+                const payload = (0, util_1.jwtVerify)(rt);
+                if (payload != null &&
+                    typeof payload === "object" &&
+                    typeof payload.jti === "string") {
+                    _a.refreshStore.revoke(payload.jti);
+                }
+            }
+        }
+        catch {
+            /* expired or malformed */
+        }
+        clearAuthCookies(res);
         return res.redirect("/login");
     }
+    /** True when the access cookie is a valid, usable JWT (not refresh / disallowed legacy). */
+    static check() {
+        const token = request().cookies?.auth_token;
+        if (!token)
+            return false;
+        try {
+            const payload = (0, util_1.jwtVerify)(token);
+            return (0, util_1.checkJwtAccessTokenPayload)(payload).ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    static user() {
+        return request().user;
+    }
+    static id() {
+        return request().user?.id || request().user?._id;
+    }
+    static async socialLogin(userId) {
+        return this.completeLogin(request(), response(), userId, "/home");
+    }
 }
 exports.Authentication = Authentication;
 _a = Authentication;
+Authentication.refreshStore = refreshTokenStore_1.defaultRefreshTokenStore;
 /** Handle user login attempt */
-Authentication.attempt = async (req, res, next, redirect = "/home") => {
+Authentication.attempt = async (next, redirect = "/home") => {
+    const req = request();
+    const res = response();
     try {
         const { user, field } = await _a.getUser(req.body);
         if (!user)
@@ -98,12 +205,7 @@ Authentication.attempt = async (req, res, next, redirect = "/home") => {
         if (!(await (0, util_1.verifyHash)(req.body.password, user.password))) {
             throw new ValidationException_v2_1.ValidationException({ [field]: ["Invalid credentials"] });
         }
-        const tokens = _a.setTokens(res, user.id || user._id);
-        if (req.expectsJson() && !req.isInertia()) {
-            return res.status(200).json({ tokens, user });
-        }
-        const redirectTo = req.query.redirect?.toString() || redirect;
-        return res.redirect(303, redirectTo);
+        await _a.completeLogin(req, res, user.id || user._id, redirect);
     }
     catch (error) {
         next(error);

package/lib/Auth/loginRateLimit.d.ts

@@ -0,0 +1,6 @@
+import type { RequestHandler } from "express";
+/** Stricter limit for login attempts (per IP). */
+export declare const loginRateLimit: RequestHandler;
+/** Stricter limit for registration (per IP). */
+export declare const registerRateLimit: RequestHandler;
+//# sourceMappingURL=loginRateLimit.d.ts.map

package/lib/Auth/loginRateLimit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loginRateLimit.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/loginRateLimit.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C,kDAAkD;AAClD,eAAO,MAAM,cAAc,EAAE,cAO3B,CAAC;AAEH,gDAAgD;AAChD,eAAO,MAAM,iBAAiB,EAAE,cAO9B,CAAC"}

package/lib/Auth/loginRateLimit.js

@@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerRateLimit = exports.loginRateLimit = void 0;
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
+/** Stricter limit for login attempts (per IP). */
+exports.loginRateLimit = (0, express_rate_limit_1.default)({
+    windowMs: 15 * 60 * 1000,
+    max: 20,
+    message: { message: "Too many login attempts. Try again later." },
+    standardHeaders: true,
+    legacyHeaders: false,
+    validate: { trustProxy: false },
+});
+/** Stricter limit for registration (per IP). */
+exports.registerRateLimit = (0, express_rate_limit_1.default)({
+    windowMs: 60 * 60 * 1000,
+    max: 10,
+    message: { message: "Too many registration attempts. Try again later." },
+    standardHeaders: true,
+    legacyHeaders: false,
+    validate: { trustProxy: false },
+});

package/lib/Auth/refreshTokenStore.d.ts

@@ -0,0 +1,24 @@
+export type RefreshSession = {
+    userId: string;
+    expiresAt: number;
+};
+/** Pluggable store for refresh-token `jti` rotation (swap for Redis in multi-instance). */
+export interface IRefreshTokenStore {
+    generateJti(): string;
+    register(jti: string, userId: string, ttlMs: number): void;
+    /** Remove and return the session if `jti` is valid and not expired. */
+    consume(jti: string): RefreshSession | undefined;
+    revoke(jti: string): void;
+    revokeAllForUser(userId: string): void;
+}
+export declare class MemoryRefreshTokenStore implements IRefreshTokenStore {
+    private readonly byJti;
+    generateJti(): string;
+    register(jti: string, userId: string, ttlMs: number): void;
+    consume(jti: string): RefreshSession | undefined;
+    revoke(jti: string): void;
+    revokeAllForUser(userId: string): void;
+    private prune;
+}
+export declare const defaultRefreshTokenStore: MemoryRefreshTokenStore;
+//# sourceMappingURL=refreshTokenStore.d.ts.map

package/lib/Auth/refreshTokenStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshTokenStore.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Auth/refreshTokenStore.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,cAAc,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnE,2FAA2F;AAC3F,MAAM,WAAW,kBAAkB;IACjC,WAAW,IAAI,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3D,uEAAuE;IACvE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAAC;IACjD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACxC;AAED,qBAAa,uBAAwB,YAAW,kBAAkB;IAChE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqC;IAE3D,WAAW,IAAI,MAAM;IAIrB,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAQ1D,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAQhD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAIzB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAMtC,OAAO,CAAC,KAAK;CAMd;AAED,eAAO,MAAM,wBAAwB,yBAAgC,CAAC"}

package/lib/Auth/refreshTokenStore.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultRefreshTokenStore = exports.MemoryRefreshTokenStore = void 0;
+const crypto_1 = require("crypto");
+class MemoryRefreshTokenStore {
+    constructor() {
+        this.byJti = new Map();
+    }
+    generateJti() {
+        return (0, crypto_1.randomBytes)(32).toString("hex");
+    }
+    register(jti, userId, ttlMs) {
+        this.prune();
+        this.byJti.set(jti, {
+            userId,
+            expiresAt: Date.now() + ttlMs,
+        });
+    }
+    consume(jti) {
+        const row = this.byJti.get(jti);
+        if (!row)
+            return undefined;
+        this.byJti.delete(jti);
+        if (Date.now() > row.expiresAt)
+            return undefined;
+        return row;
+    }
+    revoke(jti) {
+        this.byJti.delete(jti);
+    }
+    revokeAllForUser(userId) {
+        for (const [k, v] of this.byJti) {
+            if (v.userId === userId)
+                this.byJti.delete(k);
+        }
+    }
+    prune() {
+        const now = Date.now();
+        for (const [k, v] of this.byJti) {
+            if (v.expiresAt < now)
+                this.byJti.delete(k);
+        }
+    }
+}
+exports.MemoryRefreshTokenStore = MemoryRefreshTokenStore;
+exports.defaultRefreshTokenStore = new MemoryRefreshTokenStore();

package/lib/Command-Line/DBCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DBCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/DBCommand.ts"],"names":[],"mappings":"AAMA,qBAAa,SAAS;IACpB,OAAO,CAAC,WAAW,CAA0C;IAE7D,OAAO,CAAC,YAAY;IAQd,IAAI;IAqBJ,YAAY,CAAC,UAAU,EAAE,MAAM;IAW/B,IAAI;CA+BX"}
+{"version":3,"file":"DBCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/DBCommand.ts"],"names":[],"mappings":"AAMA,qBAAa,SAAS;IACpB,OAAO,CAAC,WAAW,CAA0C;IAE7D,OAAO,CAAC,YAAY;IAad,IAAI;IAqBJ,YAAY,CAAC,UAAU,EAAE,MAAM;IAW/B,IAAI;CA+BX"}

package/lib/Command-Line/DBCommand.js

@@ -14,11 +14,17 @@ class DBCommand {
         this.seedersPath = `${rootPath}/database/seeders`;
     }
     getSeederDir(seederFile) {
+        const base = `${this.seedersPath}/${seederFile}`;
         try {
-            return require(`${this.seedersPath}/${seederFile}`);
+            return require(base);
         }
-        catch (error) {
-            console.log(`Can't get the seeder with name of ${seederFile}`);
+        catch {
+            try {
+                return require(`${base}.ts`);
+            }
+            catch {
+                console.log(`Can't get the seeder with name of ${seederFile}`);
+            }
         }
     }
     async seed() {

package/lib/Command-Line/KeyGenerateCommand.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Generate a cryptographically strong secret (64 hex chars = 32 bytes).
+ * Default env key: JWT_SECRET (meets production length checks in this framework).
+ */
+export declare function runKeyGenerate(firstArg?: string, secondArg?: string): void;
+//# sourceMappingURL=KeyGenerateCommand.d.ts.map

package/lib/Command-Line/KeyGenerateCommand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeyGenerateCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/KeyGenerateCommand.ts"],"names":[],"mappings":"AAUA;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,SAAK,EAAE,SAAS,SAAK,GAAG,IAAI,CAoClE"}

package/lib/Command-Line/KeyGenerateCommand.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runKeyGenerate = runKeyGenerate;
+const crypto_1 = require("crypto");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const app_root_path_1 = __importDefault(require("app-root-path"));
+const colors_1 = __importDefault(require("colors"));
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+/**
+ * Generate a cryptographically strong secret (64 hex chars = 32 bytes).
+ * Default env key: JWT_SECRET (meets production length checks in this framework).
+ */
+function runKeyGenerate(firstArg = "", secondArg = "") {
+    const showOnly = firstArg === "show" ||
+        secondArg === "show" ||
+        secondArg === "--show";
+    const keyName = firstArg && firstArg !== "show" ? firstArg : "JWT_SECRET";
+    const value = (0, crypto_1.randomBytes)(32).toString("hex");
+    if (showOnly) {
+        console.log(colors_1.default.green(`${keyName}=`) + value);
+        return;
+    }
+    const envPath = path_1.default.join(app_root_path_1.default.path, ".env");
+    if (!fs_1.default.existsSync(envPath)) {
+        console.log(colors_1.default.yellow(".env not found. Add this line to your environment file:\n"));
+        console.log(colors_1.default.cyan(`${keyName}=${value}\n`));
+        return;
+    }
+    let contents = fs_1.default.readFileSync(envPath, "utf8");
+    const re = new RegExp(`^${escapeRegex(keyName)}=.*$`, "m");
+    const line = `${keyName}=${value}`;
+    if (re.test(contents)) {
+        contents = contents.replace(re, line);
+    }
+    else {
+        contents = contents.replace(/\s*$/, "") + "\n" + line + "\n";
+    }
+    fs_1.default.writeFileSync(envPath, contents, "utf8");
+    console.log(colors_1.default.green(`✓ Set ${keyName} in .env`) +
+        colors_1.default.gray(` (${value.length} characters)`));
+}

package/lib/Command-Line/NodeArtisanCommand.d.ts

@@ -9,12 +9,14 @@ export declare class ConsoleKernel {
     private _make;
     private _route;
     private _schedule;
+    private _watch;
     private _app;
     private get migrate();
     private get db();
     private get make();
     private get route();
     private get schedule();
+    private get watch();
     private app;
     constructor();
     /** Load user commands from app/Console/Command (guarded, non-blocking for missing dir) */

package/lib/Command-Line/NodeArtisanCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"NodeArtisanCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/NodeArtisanCommand.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoCpC,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAK1B;IACF,OAAO,CAAC,cAAc,CAA0B;IAChD,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,SAAS,CAAgC;IACjD,OAAO,CAAC,IAAI,CAAc;IAE1B,OAAO,KAAK,OAAO,GAElB;IAED,OAAO,KAAK,EAAE,GAEb;IAED,OAAO,KAAK,IAAI,GAEf;IAED,OAAO,KAAK,KAAK,GAEhB;IAED,OAAO,KAAK,QAAQ,GAEnB;IACD,OAAO,CAAC,GAAG;;IAWX,0FAA0F;IAC1F,OAAO,CAAC,kBAAkB;IA0B1B,OAAO,CAAC,aAAa;IAOrB,wFAAwF;IACxF,OAAO,CAAC,SAAS;IAkBjB,OAAO,CAAC,aAAa;IAkKrB,OAAO,CAAC,QAAQ;IAwHhB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;CA4BpD"}
+{"version":3,"file":"NodeArtisanCommand.d.ts","sourceRoot":"","sources":["../../../jcc-express-mvc/lib/Command-Line/NodeArtisanCommand.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAsCpC,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAK1B;IACF,OAAO,CAAC,cAAc,CAA0B;IAChD,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,SAAS,CAAgC;IACjD,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,IAAI,CAAc;IAE1B,OAAO,KAAK,OAAO,GAElB;IAED,OAAO,KAAK,EAAE,GAEb;IAED,OAAO,KAAK,IAAI,GAEf;IAED,OAAO,KAAK,KAAK,GAEhB;IAED,OAAO,KAAK,QAAQ,GAEnB;IAED,OAAO,KAAK,KAAK,GAEhB;IACD,OAAO,CAAC,GAAG;;IAWX,0FAA0F;IAC1F,OAAO,CAAC,kBAAkB;IA0B1B,OAAO,CAAC,aAAa;IAOrB,wFAAwF;IACxF,OAAO,CAAC,SAAS;IAkBjB,OAAO,CAAC,aAAa;IAoLrB,OAAO,CAAC,QAAQ;IA+HhB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;CA4BpD"}

package/lib/Command-Line/NodeArtisanCommand.js

@@ -18,7 +18,9 @@ const MakeCommand_1 = require("./MakeCommand");
 const RouteCommand_1 = require("./RouteCommand");
 const ScheduleCommand_1 = require("./ScheduleCommand");
 const InertiaCommand_1 = require("./InertiaCommand");
+const KeyGenerateCommand_1 = require("./KeyGenerateCommand");
 const Tinker_1 = require("./NodeTinker/Tinker");
+const WatchCommand_1 = require("./WatchCommand");
 const util_1 = require("../util");
 /** Parse key=value from secondArg (e.g. steps=2, class=UserSeeder) */
 const parseOption = (secondArg, key) => {
@@ -43,6 +45,9 @@ class ConsoleKernel {
     get schedule() {
         return (this._schedule ??= new ScheduleCommand_1.ScheduleCommand());
     }
+    get watch() {
+        return (this._watch ??= new WatchCommand_1.WatchCommand());
+    }
     app() {
         const bootstrap = require(`${app_root_path_1.default.path}/bootstrap/app`);
         const app = bootstrap.app;
@@ -57,6 +62,7 @@ class ConsoleKernel {
         this._make = null;
         this._route = null;
         this._schedule = null;
+        this._watch = null;
         this._app = this.app();
         this.loadCustomCommands();
     }
@@ -184,13 +190,22 @@ class ConsoleKernel {
                 : undefined;
             return this.route.display(mw);
         }));
-        this.defineCommand("tinker").action(this.runAction(() => Tinker_1.tinker.start(), { exit: false }));
-        this.defineCommand("inertia:start-ssr").action(this.runAction(() => InertiaCommand_1.InertiaCommand.startInertiaSSR()));
+        this.defineCommand("tinker").action(this.runAction(() => (0, Tinker_1.getTinker)().start(), { exit: false }));
+        this.defineCommand("inertia:start-ssr").action(this.runAction(() => InertiaCommand_1.InertiaCommand.startInertiaSSR(), { exit: false }));
+        this.defineCommand("serve")
+            .alias("watch")
+            .action(this.runAction((firstArg) => this.watch.run(firstArg || "server.ts"), {
+            exit: false,
+        }));
         // ─── schedule (was missing) ─────────────────────────────────────────
         this.defineCommand("schedule:run").action(this.runAction(() => this.schedule.run(), { exit: false }));
         this.defineCommand("schedule:list").action(this.runAction(() => this.schedule.list()));
         // ─── build ──────────────────────────────────────────────────────────
         this.defineCommand("build").action(this.runAction(() => (0, buildCommand_1.BuildCommand)()));
+        // ─── key (JWT / app secrets) ─────────────────────────────────────────
+        this.defineCommand("key:generate")
+            .description("Generate a random secret (default: JWT_SECRET in .env). Use 'show' to print only.")
+            .action(this.runAction((firstArg, secondArg) => (0, KeyGenerateCommand_1.runKeyGenerate)(firstArg ?? "", secondArg ?? "")));
         // ─── custom user commands ────────────────────────────────────────────
         for (const { signature, description, CommandClass } of this
             .customCommands) {
@@ -235,7 +250,9 @@ class ConsoleKernel {
         console.log(line("route:list [middleware=]", "Display routes (optionally filtered)\n"));
         console.log(section("⚡ Development Tools:"));
         console.log(line("tinker", "Start the interactive Tinker REPL"));
-        console.log(line("build", "Build the application for production\n"));
+        console.log(line("serve [entry]", "Watch files and restart app on changes"));
+        console.log(line("build", "Build the application for production"));
+        console.log(line("key:generate [name] [show]", "Random secret → .env (default JWT_SECRET); name=env key, show=print only") + "\n");
         console.log(section("⏰ Schedule Commands:"));
         console.log(line("schedule:run", "Run scheduled tasks (runs continuously)"));
         console.log(line("schedule:list", "List all scheduled tasks\n"));

package/lib/Command-Line/NodeTinker/Tinker.d.ts

@@ -126,6 +126,9 @@ export declare class Tinker {
      */
     private exit;
 }
-declare const tinker: Tinker;
-export { tinker };
+/**
+ * Lazily construct Tinker so importing the artisan kernel does not attach
+ * readline to stdin/stdout (which felt like Tinker “running” for every command).
+ */
+export declare function getTinker(config?: TinkerConfig): Tinker;
 //# sourceMappingURL=Tinker.d.ts.map